Hi
Our company has a use case in which our domain is a tomcat process. In our code, we support a parallel protocol which uses In memory based jaas configuration -
public class OurLoginConfiguration extends Configuration
In IBM JDK 7, we need to initiate using keytab which needs the system property javax.security.auth.useSubjectCredsOnly to be set to true for it to work. However Tomcat sets it in
Inside SpnegoAuthenticator:-
protected void initInternal() throws LifecycleException {
super.initInternal();
// Kerberos configuration file location
String krb5Conf = System.getProperty(Constants.KRB5_CONF_PROPERTY);
if (krb5Conf == null) {
// System property not set, use the Tomcat default
File krb5ConfFile = new File(Bootstrap.getCatalinaBase(),
Constants.DEFAULT_KRB5_CONF);
System.setProperty(Constants.KRB5_CONF_PROPERTY,
krb5ConfFile.getAbsolutePath());
}
// JAAS configuration file location
String jaasConf = System.getProperty(Constants.JAAS_CONF_PROPERTY);
if (jaasConf == null) {
// System property not set, use the Tomcat default
File jaasConfFile = new File(Bootstrap.getCatalinaBase(),
Constants.DEFAULT_JAAS_CONF);
System.setProperty(Constants.JAAS_CONF_PROPERTY,
jaasConfFile.getAbsolutePath());
}
// This property must be false for SPNEGO to work
System.setProperty(Constants.USE_SUBJECT_CREDS_ONLY_PROPERTY, "false");
}
as false in the last line which causes havoc in the code. A multithreaded startup causes a breakdown in further authentication for keytab based logging.
Now a little more investigation revealed that tomcat acts only as an acceptor. Now this property need not necessarily be set to false for it to work(in both IBM and SUN JDK).
Source of claim - http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin
Excerpt:-
2. Direct JGSS:
/* JGSS-API calls... */
In this case, the JAAS config file's entry name MUST be the
standard entry name (com.sun.security.jgss.krb5.initiate), and you
must set -Djavax.security.auth.useSubjectCredsOnly=false on the
Java command line. Read
[26]http://java.sun.com/javase/6/docs/technotes/guides/security/jgs
s/tutorials/BasicClientServer.html for details.
Which means only initiate based auth needs the system property.
This is also confirmed in IBM with a sample program.
PROPOSED FIX: COMMENT LAST LINE OF initInternal WHICH SETS THE SYSTEM PROPERTY IN THE FIRST PLACE AS FALSE.

Thanks for the updated patch.
I have confirmed in my test environment that removing this line does not break SPNEGO authentication so I have applied the patch to trunk and 7.0.x. It will be included in 8.0.0-RC6 and 7.0.48 onwards.

This is ASF Bugzilla: the Apache Software Foundation bug system. In case
of problems with the functioning of ASF Bugzilla, please contact
bugzilla-admin@apache.org.
Please Note: this e-mail address is only for reporting problems
with ASF Bugzilla. Mail about any other subject will be silently
ignored.